YarHealth

Privacy Policy

YarHealth · https://health.yarbros.net · Effective date: June 12, 2026

1. Overview

YarHealth is a personal health data dashboard operated for the private use of its owner and their immediate family members and invited guests. The application is not open to the public. Authorized users are granted access individually by the application owner. Because YarHealth processes health data belonging to individuals located in or covered by the European Economic Area (EEA) or similar jurisdictions, we apply the principles of the General Data Protection Regulation (GDPR) to all users regardless of location.

2. Data Controller

The data controller for personal data processed in YarHealth is The Yarbros, operated by Rob Belcher. Questions about your data may be directed to theyarbot@gmail.com or through the Settings page at https://health.yarbros.net/settings.

3. Data Collected

YarHealth collects and stores the following categories of personal data:
• Sleep metrics retrieved from connected devices (Oura Ring and Withings), including bedtime, wake time, sleep duration, sleep stages, heart rate, HRV, respiratory rate, sleep score, and efficiency.
• Activity and body composition data retrieved from Withings devices, including step count, calories burned, weight, body fat percentage, muscle mass, bone mass, and visceral fat index.
• OAuth access tokens and refresh tokens for Oura and Withings, used solely to retrieve health data on the user's behalf. Tokens are stored encrypted at rest and are never exposed client-side.
• AI-generated narrative summaries and health insights derived from aggregated health metrics.
• Authentication credentials (email address and hashed password) managed by Supabase Auth.
• Date of birth, collected at account creation to verify age eligibility.
• Session cookies used to maintain authenticated sessions.

4. Legal Basis for Processing (GDPR)

Where GDPR applies, YarHealth processes personal data on the following legal bases:
• Consent (Article 6(1)(a)): You authorize YarHealth to access your Oura or Withings data by completing the OAuth connection flow. You may withdraw consent at any time by disconnecting your device from the Settings page.
• Legitimate interests (Article 6(1)(f)): Maintaining security logs and session state to protect the application and its users.
• Explicit consent for special category data (Article 9(2)(a)): Sleep, activity, and body composition metrics constitute special category health data under GDPR. By connecting a device, you explicitly consent to this data being retrieved, stored, and analyzed for personal health visualization and coaching purposes.

5. Use of Data

Health data retrieved from connected devices is used solely for:
• Displaying personal health analytics and trends to the authorized user.
• Generating AI-powered narrative summaries of sleep sessions and health insights.
• Generating AI-powered correlations and coaching insights across connected data sources using aggregated, non-identifiable metrics.

No data is sold, shared, licensed, disclosed, or transferred to any third party for any commercial purpose.

6. Data Retention

Sleep session, activity, and health data is retained for as long as you maintain an active account with YarHealth. User data is automatically deleted following 24 months of account inactivity. You will be notified before automated deletion occurs. You may request deletion of all your data at any time via the Settings page. Upon deletion, all health sessions, narratives, AI-generated insights, and device connection tokens are permanently removed. If you disconnect a device without deleting your account, historical session data is retained unless you also request data deletion.

7. Your Rights Under GDPR

If GDPR applies to you, you have the following rights, exercisable at any time:
• Right of access (Article 15): Request a copy of all personal data we hold about you.
• Right to rectification (Article 16): Request correction of inaccurate data.
• Right to erasure (Article 17): Request deletion of all your personal data (right to be forgotten). Use the Delete Account option in Settings.
• Right to restriction of processing (Article 18): Request that we limit how we process your data in certain circumstances.
• Right to data portability (Article 20): Download a structured copy of your data in JSON format from the Settings page.
• Right to object (Article 21): Object to processing based on legitimate interests.
• Right to withdraw consent: Disconnect your Oura or Withings account at any time via Settings, which revokes YarHealth's access to future data.
• Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully. The lead supervisory authority for YarHealth under GDPR is the Irish Data Protection Commission (dataprotection.ie).

To exercise any of these rights, use the Settings page or contact the application owner at theyarbot@gmail.com.

8. Data Storage and Security

Data is stored in a private cloud database (Supabase) hosted in the European Union (Ireland, eu-west-1 region), protected by row-level security policies that restrict access to authenticated sessions. All connections use HTTPS. OAuth tokens are stored server-side only and are never included in client-side code or browser storage. YarHealth has executed Data Processing Agreements with Supabase and Vercel covering the processing of personal data under GDPR.

9. International Transfers

YarHealth's primary data infrastructure (Supabase database and Vercel serverless functions) is hosted in the European Union. AI narrative generation and health insights use Anthropic's API, which processes data in the United States. This transfer is covered by Standard Contractual Clauses under Anthropic's commercial Data Processing Agreement. Only aggregated, non-identifiable health metrics are sent to Anthropic for AI processing — no names, user identifiers, dates of birth, or raw personal data are included in these requests.

10. Third-Party Services

YarHealth integrates with the following third-party services:
• Oura Health: Retrieves sleep and health metrics from Oura Ring devices. Subject to Oura's Privacy Policy.
• Withings: Retrieves sleep, activity, and body composition metrics from Withings devices. Subject to Withings' Privacy Policy. Withings may receive notification of data erasure requests as required by their partner terms.
• Supabase: Database and authentication infrastructure hosted in the EU (Ireland). A Data Processing Agreement is in place. Subject to Supabase's Privacy Policy.
• Vercel: Application hosting with serverless functions running in the EU (Frankfurt). A Data Processing Agreement is in place. Subject to Vercel's Privacy Policy.
• Anthropic: AI-generated health narratives and insights are produced using Anthropic's API under a commercial Data Processing Agreement. Only aggregated, non-identifiable metrics are sent. Subject to Anthropic's Privacy Policy.

YarHealth does not control the data practices of these providers beyond the terms of the executed Data Processing Agreements.

11. Cookies and Tracking

YarHealth does not use analytics cookies, advertising cookies, or any third-party tracking. Session cookies are used solely to maintain authenticated sessions and are strictly necessary for the application to function. No consent banner is required for strictly necessary cookies.

12. Age Requirement

YarHealth requires users to be at least 16 years of age. Users under 16 may not create accounts or connect health devices. Access by minors under 16 is not permitted without verified parental consent, in accordance with GDPR Article 8. Date of birth is collected at account creation to verify eligibility.

13. Changes to This Policy

This policy may be updated at any time to reflect changes in the application or applicable law. The effective date above reflects the most recent revision. Authorized users will be notified of material changes at least 14 days before they take effect.

14. Contact

Questions or requests regarding this privacy policy or your personal data may be directed to theyarbot@gmail.com. To exercise your data rights, use the Settings page at https://health.yarbros.net/settings.